By now you have heard about a new bug in one of the most popular Unix shell programs, the Bourne Shell, or bash. If you run Mac OS X you have probably used bash; it is the default shell in the Terminal app. Shellshock is a “bug” in the way Heartbleed is a “bug”: a mistake in implementing code. Shellshock allows anyone (or anything) that has shell access to execute arbitrary code.
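The quickest way to know whether a given host is exposed is to ask its own bash. The POSIX shell function below is an added example (not from the original post, and not Graham's test); it assumes only that `bash` is on the PATH. It places a function definition plus trailing code in an environment variable and checks whether bash executes the trailing code while importing the environment, which is exactly the behaviour Shellshock describes. A patched bash defines nothing from that variable and just prints the test string.

```shell
#!/bin/sh
# Added example: local Shellshock check for defenders.
# Prints "vulnerable", "not vulnerable" or "bash not installed" and
# returns 1 only when the local bash is vulnerable.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not installed"
        return 0
    fi

    # The variable value is a harmless function body '() { :;}' followed by
    # extra code. An unpatched bash runs that extra code as soon as it starts,
    # before the command we actually asked for ('echo test') is run.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)

    case "$out" in
        *vulnerable*)
            echo "vulnerable"
            return 1
            ;;
        *)
            # Patched bash ignores the smuggled definition (it may print a
            # warning on stderr, which we discard) and only echoes "test".
            echo "not vulnerable"
            return 0
            ;;
    esac
}

# Run the check and exit non-zero on a vulnerable host, so this can be
# dropped into an inventory or configuration-management job.
check_shellshock
```

Because the check runs bash directly, it answers only for the bash binary on the machine where it runs; a network device or appliance has to be checked on the device itself, which is the hard part the post is warning about.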
Robert Graham at Errata Security wrote a little test to demonstrate how he could get machines to execute ping commands. There are lots of vulnerable machines. Someone has already taken Rob’s script and modified it to download malware. That’s what a worm does. Note the “Thanks-Rob” in the code giving Graham credit.
This is one of the easiest exploits ever to incorporate into just about any attack scenario. Heartbleed was much more difficult to take advantage of, but it led to at least one damaging attack: TrustedSec has attributed the CHS breach to the presence of the Heartbleed bug in Juniper devices.
Just about every network device (routers, switches, SDN) runs on a flavor of Unix, and bash is widely deployed. The vulnerable systems will be those that allow components to run shell scripts, a very common shortcut.
While the use of Shellshock for highly targeted attacks on systems that you probably don’t even know about within your network is the biggest long-term concern, the short term possibilities are frightening. The code linked to above could quickly create a SQL Slammer type Internet meltdown.
One of the thousands of systems that Graham has already discovered is induced to download a version of Graham’s scanner. The infected host (probably a web server) scans for its next targets (thousands of them) and induces them to download the exploit code (via wget in the sample code), and those in turn start scanning and exploiting.
In 2003 SQL Slammer brought the Internet down in about 12 minutes. ISPs worked over the weekend to filter out the ports that SQL Slammer used. An “easy” fix like that will not be possible this time, since Shellshock can use any port; Graham’s test is using port 80 (HTTP).
SQL Slammer was bad. But the author released it late on a Friday US East coast time, giving some indication that he/she had some cause for concern. The “Thanks-Rob” worm, when it appears, could be created easily by someone without the same compunctions and get out of control very quickly. We won’t have any warning.